Publication


Featured research published by Jangwon Choi.


international conference on neural information processing | 2012

A malware collection and analysis framework based on darknet traffic

Jungsuk Song; Jangwon Choi; Sang-Soo Choi

Since a darknet is a set of unused IP addresses (i.e., no real hosts are operated with them), we are generally unable to observe network traffic on it. In many cases, however, attackers or hosts infected by some malware send their attack codes to the target systems or networks at random. Because of this, the darknet gives us a good opportunity to monitor malicious activities that are happening on the Internet. By analyzing the darknet traffic, it is possible to get an insight into recent attack trends, but there is a fatal limitation that most of the darknet traffic has no payload data. This means that we cannot collect the real attack codes from the original darknet traffic. In this paper, we propose a malware collection and analysis framework based on the darknet traffic. With the proposed framework, it is possible to get real attack codes in the wild and to respond to potential cyber attacks using them. Our experimental results on real network environments show the effectiveness of the proposed framework.


2006 15th International Conference on Computing | 2006

Agent-Based Autonomous Scheduling Mechanism Using Availability in Desktop Grid Systems

HongSoo Kim; SeockIn Kim; EunJoung Byun; Chong-Sun Hwang; Jangwon Choi

This paper addresses scheduling strategies to achieve high performance in desktop grid systems. The recent desktop grid systems can be characterized by decentralized control, large scale and extreme dynamism of their computation environment. In the environment of high throughput desktop grid systems, the volatility of volunteers, and the decentralized nature of desktop grid systems pose significant challenges. Our approach makes use of autonomous scheduling mechanisms on a computational overlay network to meet these challenges. However, current approaches to utilizing desktop resources require either centralized servers, or extensive knowledge of the underlying system, limiting scalability and performance. In this paper an agent-based autonomous scheduling (ABAS) mechanism on a computational overlay network is proposed to further improve performance through adaptive behavior of agents which have replication, migration, and checkpointing scheme. Performance evaluation demonstrates that the proposed scheduling mechanism improves throughput using Korea@Home


international conference on information security | 2017

Visualization of Intrusion Detection Alarms Collected from Multiple Networks

Boyeon Song; Sang-Soo Choi; Jangwon Choi; Jungsuk Song

A Cyber Security Operations Center (CSOC) is a facility where target networks are monitored, analyzed and defended. To detect suspected intrusions, it generally installs an Intrusion Detection System (IDS) at a strategic point within each target network. Security operators in a CSOC should check and analyze security event logs generated by IDSs as fast as they can. However, the amount of security events detected by the IDSs of a CSOC is massively increasing owing to ever-increasing cyber threats. It goes beyond the control of security operators using the text-based user interface (TUI) that an IDS typically provides.


Cluster Computing | 2017

Visualization of security event logs across multiple networks and its application to a CSOC

Boyeon Song; Jangwon Choi; Sang-Soo Choi; Jungsuk Song

We introduce VisIDAC presented in Song et al. (In: Nguyen, P.Q., Zhou, J. (eds.) Information Security—20th International Conference, ISC 2017, Security and Cryptology, vol. 10599. Springer International Publishing, 2017), which is a 3-D real-time visualization of security event logs collected by intrusion detection systems installed in multiple networks. VisIDAC consists of three parallel plane-squares which represent global source networks, target networks, and global destination networks. Security events are displayed in different shapes, colors and spaces, according to their main features. It helps security operators to immediately understand the key properties of security events. We also apply VisIDAC to a public cyber security operations center, Science and Technology Cyber Security Center (S&T-CSC), and demonstrate its usefulness. VisIDAC allows users to grasp more intuitively the overall flow of security events and their trend, makes it easy to recognize large-scale security events such as network scanning, port scanning, and distributed denial of service attacks, and is also effective in distinguishing security event types: which target network they are related to; whether they are inbound or outbound traffic; whether they are momentary or continuous; and what protocol and port number are mainly used.


international conference on neural information processing | 2017

Detecting Black IP Using for Classification and Analysis Through Source IP of Daily Darknet Traffic

Jinhak Park; Jangwon Choi; Jungsuk Song

Recently, the community has come to recognize the importance of network vulnerability. By using such vulnerabilities, attackers can acquire the information of vulnerable users. Therefore, many researchers have been studying countermeasures for network vulnerability. Recently, the darknet has received attention in research on detecting the actions of attackers. A darknet is formed of a set of unused IP addresses, and no real systems are connected to it. In this paper, we propose using the darknet for detecting black IPs. To this end, classification and analysis through the source IP of daily darknet traffic was chosen. The proposed method prepared 8,192 destination IP addresses in darknet space and collected the darknet traffic for 1 month. It collected a total of 277,002,257 in August 2016. The results of applying the proposed process showed its effectiveness for pre-detection of real attacks.


information security | 2017

A Lightweight Malware Classification Method Based on Detection Results of Anti-Virus Software

Younsu Lee; Sang-Soo Choi; Jangwon Choi; Jungsuk Song

With the development of cyber threats on the Internet, the number of malware samples, especially unknown malware, is also dramatically increasing. Since not all malware can be analyzed by analysts, it is very important to find the new malware that should be analyzed by them. In order to cope with this issue, the existing approaches focused on malware classification using static or dynamic analysis results of malware. However, the static and the dynamic analyses themselves are also too costly, and it is not easy to build isolated, secure and Internet-like analysis environments such as a sandbox. In this paper, we propose a lightweight malware classification method based on detection results of anti-virus software. Since the proposed method can reduce the volume of malware that should be analyzed by analysts, it can be used as a preprocess for in-depth analysis of malware. The experimental results showed that the proposed method succeeded in classifying 1,000 malware samples into 187 unique groups. This means that 81% of the original malware samples do not need to be analyzed by analysts.


Archive | 2016

Design and Implementation of Authentication Information Synchronization System for Providing Stability and Mobility of Wireless Authentication

Yonghwan Jung; Jangwon Choi; Hyungju Lee; Joon-Min Gil; Haeng-gon Lee

With the growth of wireless network infrastructure and the diffusion of mobile devices, education environments equipped with mobile devices are gradually spreading in the field. The basic method to support stable wireless services in these education environments is to use wireless authentication technologies. The current education environments in Korea have been provided with wireless authentication services only per local area. Accordingly, users cannot access the wireless network infrastructure for education in areas outside their local area, and thus the infrastructure is vulnerable to failures due to the lack of resource management and the absence of a backup authentication system for the entire area. In this paper, we suggest an Authentication Information Synchronization System (AISS) for stability and mobility.


international conference on advanced communication technology | 2015

Comparative analysis of darknet traffic characteristics between darknet sensors

Falguni Gadhia; Jangwon Choi; Buseung Cho; Jungsuk Song

Today, the Internet is incessantly attacked by a wide variety of network-based threats. One of the ways to monitor or identify such prevailing threats is to monitor incoming traffic to unused network addresses, popularly known as a darknet and often also referred to by various other names such as network telescope or black hole. As all the traffic arriving at a darknet is mainly the result of malicious probing or misconfiguration in the network, similar incoming traffic behaviour is expected across different darknet sensors; however, various studies found it to be different. Various reasons cited for this are misconfiguration, certain kinds of attack, and differences in filtering parameters or in the system configuration itself. However, a concrete reason is still missing. In this regard, to gain further understanding, in this study we performed a deeper comparative analysis between two darknet sensors (KISTI Darknet network) that are differently located but have similar filtering and system configuration. Comparative analysis considering total incoming packets, number of source hosts, targeted destination port and protocol revealed that there exists a wide difference in incoming traffic characteristics between the darknet sensors. Moreover, in the TCP and UDP comparison, UDP traffic showed more targeting behaviour toward a particular darknet block (difference in traffic characteristics between darknet sensors); in contrast, TCP traffic showed more scanning behaviour (similarity in traffic characteristics between darknet sensors).


conference on privacy, security and trust | 2006

MTRMS: mutual-trust-based reputation management system in community-based peer-to-peer environment

EunJoung Byun; SeokIn Kim; Hong-Soo Kim; SungJin Choi; Jangwon Choi; Chong-Sun Hwang

Light-scatter smoke detector, depending from the ceiling of a room, has a base unit with a battery to power an infra-red light source and infra-red light sensor, both of which are located in an upper element. A lower element has a surface corresponding to the exterior of a cone, and forming the base of a chamber. A surface makes, with a frusto-conical surface of the upper element, an annular wedge-shaped recess to chamber, this recess facing both source and sensor. The surfaces have a matt-black coating to promote energy absorption, so that the recess inhibits any light entering it from ever re-emerging. The stream of air flowing through the detector is monitored in the central chamber for the presence of smoke particles, by the sensor watching for light which originated from the source being scattered by smoke particles in the chamber and arriving at the sensor.


Sustainability | 2017

Practical In-Depth Analysis of IDS Alerts for Tracing and Identifying Potential Attackers on Darknet

Jungsuk Song; Younsu Lee; Jangwon Choi; Joon-Min Gil; Jaekyung Han; Sang-Soo Choi

Collaboration

Top Co-Authors

Sang-Soo Choi
Korea Institute of Science and Technology Information

Jungsuk Song
Korea University of Science and Technology

Boyeon Song
Korea Institute of Science and Technology Information

Hyungju Lee
Korea Institute of Science and Technology Information

Joon-Min Gil
Catholic University of Daegu

Yonghwan Jung
Korea Institute of Science and Technology Information

Younsu Lee
Korea Institute of Science and Technology Information